'Trust Us With More Data,' Say Government Agencies Hacked By A 16-Year-Old
from the the-best-defense-is-calls-for-encryption-bans,-apparently dept
We live in a world where a 16-year-old who goes by the handle of "penis" on Twitter can dive into the servers of two of America's most secure federal agencies and fish out their internal files.
This 16-year-old is allegedly part of the same crew that socially engineered their way into the inboxes of CIA director John Brennan, Director of National Intelligence James Clapper and the administration's senior advisor on science and technology, John Holdren.
We also -- somehow -- live in a world where these same agencies are arguing they should be entrusted with massive amounts of data -- not just on their own employees, but on thousands of US citizens.
The DHS, FBI and NSA all want more data to flow to them -- and through them. The cybersecurity bill that legislators snuck past the public by attaching it as a rider to a "must pass" appropriations bill contains language that would allow each of these affected agencies to partake in "data sharing" with private companies. This would be in addition to the data these agencies already gather on American citizens as part of their day-to-day work.
The DHS -- one of the more recent hacking victims -- is the only agency that expressed a reluctance to partake in the new data haul. This isn't because it wouldn't like to have access to the data, but because it would be the agency responsible for "scrubbing" the data before passing it on to other agencies. DHS officials likely took a look at this requirement and saw it for what it was: a scapegoat provision. Should any legal action or public outcry have resulted from the new "sharing" demands, the DHS would have been the agency offered up to appease the masses.
Fortunately for the DHS -- but less fortunately for anyone concerned about expanding domestic surveillance efforts -- this requirement has been altered. A bit. The Attorney General will now examine the DHS's "scrubbing" efforts and determine whether or not they're Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that's not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.
This is the government that feels it can protect the nation from hackers: the government that can't protect itself from hackers.
The IRS seems to suffer from attacks almost daily, thanks to its treasure trove of social security numbers, addresses and other personally identifiable information. The OPM -- which oversees federal hiring -- coughed up plenty of the same personal info when it was hacked.
The agencies involved in the cybersecurity efforts have shrugged at the government's inability to protect personal information, arguing that these hacks only highlight how essential the new cybersecurity legislation is. More power and more data is what's needed, apparently, not an internal effort to shore up security before foisting their demands on the private sector. The government can't protect itself against politically-motivated teenagers. What chance does it have against organized criminals or state-sponsored attacks?
It's insanity. It's like hearing Wal-Mart claim -- after a large data breach -- that the best way to ensure this doesn't happen in the future is to allow it to store customer data collected by its competitors as well. Why make criminals and hackers work harder? Why not house as much data as possible in fewer locations?
To make matters worse, agencies like the FBI and NSA are pushing for greater offensive capabilities, all the while claiming they're very interested in defending the nation against cyberattacks. The two efforts are at odds. One side needs security holes to exploit. The other side needs holes closed as quickly as possible. Even without access to black book budgets, one can easily assume the offensive side will be receiving the majority of funding and manpower. When a vulnerability is discovered, who decides how it's used: the fixers or the exploiters?
The NSA thinks there's no inherent friction in playing both sides. It has decided -- against the recommendations of the President's Review Group -- to merge its defensive and offensive cybersecurity wings. The NSA is the only entity that doesn't see this as a problem. Nicholas Weaver, writing for Lawfare, explains exactly why it shouldn't be doing this.
[T]he... job of protecting US interests generally is far harder. This mission requires that the Agency work with industry as an honest broker. It cannot be seen as intent on using information gathered to sabotage industry's customers or general system security. The trust necessary for this job went up in smoke following the Snowden revelations, which revealed both the vastness of the SIGINT mission and at least one explicit betrayal of the core IA mission. NSA has a long, long way to go in rebuilding this trust.
[...]
The NSA should abandon the merger plans because—regardless of the technical merits—the offensive-defensive merger is viewed by the world as a substantially untrustworthy act. I recognize that offense is part of practicing good defense. But you don't see me writing botnets or high-speed worms. Or breaking into systems without permission. Or providing information to those who do. I manage to defend systems without offense as a core mission, and my defense is not likely to be improved by giving offense a leg up.
Defense isn't something these agencies care about. It may occasionally occur as a result of offensive efforts but it's never the focus. There are no "good guy only" exploits just as certainly as there are no "good guy only" encryption backdoors. The government will never be able to secure its own backyard as long as it believes developing weapons is more important than hardening defenses.
The FBI would rather break into servers halfway around the world and run child porn sites as honeypots than work with other entities to improve their defenses. After all, if someone is hacked, the FBI can always hunt down the perpetrator. As an investigative agency, this makes sense. But it doesn't make sense when the same agency claims it wants to be part of information sharing related to cyberdefense. It's only interested in offensive actions. It only wants evidence and leads.
The DHS, despite containing the words "Homeland Security," isn't truly interested in securing the homeland either -- at least not to the extent that it's interested in opening its own investigations. The NSA is much more in its element performing surveillance and exploiting compromised systems -- neither of which can be considered "defensive" efforts.
In fact, despite the bill's passage, there is no government body tasked solely with the defensive side of "cybersecurity" -- which would seem to be the key element. Defense is apparently meant to be folded in with the rest of their normal activities. Supporters of the legislation think the key is information sharing. It could be, but government agencies have proven over the years they're incapable (or unwilling) to share information with each other. How another layer of government non-sharing is supposed to result in better security is unexplained. Private entities are expected to believe the Cybersecurity Act will turn everyone involved into one big team, but the reality is that it will do little more than add to stores of personal information the government has already proven unable to defend.
Filed Under: cia, data, hacked, james clapper, john brennan, mass surveillance, nsa, surveillance, trust
Reader Comments
The First Word
They're building the wrong thing
and in doing so, they're making a mistake that we see quite often. They think they're building a weapon that will be useful in the "war" on terror or against crime. But in reality, they're building a target -- an enormous, valuable motherlode of data that all kinds of adversaries will attack.
Why?
Because there are two ways to acquire vast amounts of useful intelligence: the first is tediously acquire, catalog, and store it. The second, which is often vastly easier and cheaper, is to let someone else do the hard work -- and then steal it from them.
Re:
Of course they are under control - but not by those who we are told should be.
I find it odd that the government keeps arguing for weak encryption on smartphones and yet their own networks are so insecure that a 16-year-old teenager can crack their own networks?
The government needs to find this 16-year-old teenager and hire him to secure their networks.
Re: Re:
... yeah, that makes the government look so much better.
Re: Re: Re:
Yes, I'm dreaming!
Re:
If you pay attention, the hack was "social engineering" and not some major network failure. It's about convincing or tricking someone with high enough access to give up their user name and password because they think they should or have to.
The only way you avoid that hack is to get rid of the wetware.
Re: Re:
Why will this never happen? Because it would make things more difficult for higher-ups who screw up and need to recover their password, who would throw fits over having to travel anywhere or remember something else.
and this outfit wants a backdoor to all of our security
They Don't Care...
They don't care about your liberty or rights, no exception...
They don't care about the nation, except when forced to care...
They do care to have information on you so that YOU can be put down like a dog when they have decided you no longer need to be a citizen.
There is not a single president standing that will benefit this nation; each one carries either a police state mentality or a national suicide plan.
They're building the wrong thing
Why?
Because there are two ways to acquire vast amounts of useful intelligence: the first is tediously acquire, catalog, and store it. The second, which is often vastly easier and cheaper, is to let someone else do the hard work -- and then steal it from them.
So they want to drown in a sea of data
Those three-letter agencies should be careful what they wish for; they just might get what they ask for.
I'd love to see the look on the faces of the directors of those groups when he or she realizes they've effectively become little more than an always-on camera.
If such a mandate ever came to pass, those three-letter acronyms would have to sift through every iota of every US citizen ad infinitum, all in the name of national security.
This doesn't look good for a government who argues that technology companies should make their devices more insecure at a time when the government can't even secure their own networks.
Until the government starts doing a better job at securing their networks, they shouldn't be arguing anything before the courts, or for that matter, the public.
DATA/INFORMATION CONTROLS
You want to SORT all data..
You don't want ANYONE to have encryption..
This is old.. They have tried to monitor things for a long time, but compression and encryption make things a bit HARD..
After getting TONS AND TONS of data, decrypting it takes MORE time..
They need everyone to NOT encrypt things.. so they can sort it out easier..
Anyone here understand the AMOUNTS of data, per day, sent on the internet? JUST in the USA..
Want to cut this back to just cellphone calls and CHAT channels? It would STILL fill a 20x20 room 4-6 feet HIGH in PAPER..
Does not include game channels to chat..
I don't care how you sort it, or HOW big a computer you have... IF you are monitoring the WORLD, the amount of data compared to JUST the USA... would require the resources of every person in the USA to monitor, sort, and pass on the data to SOMEONE WHO CARES..
To be fair to the agencies...
16
Re: 16
The linked Motherboard piece says nothing about Mr. penis being a 16-year-old. Only that he 'wishes to remain anonymous.'
[citation needed], Tim.